HITRUST intros analytics tools, CISO group to help with security assessments
HITRUST, the security standards development and certification organization, has launched new capabilities meant to help healthcare organizations perform better security assessments and shore up their risk mitigation postures.
WHY IT MATTERS
The group has developed a new automated quality verification tool, and updated its maturity scoring models to help health organizations better assess where they stand with internal and third-party risk management.
It has also convened a new board subcommittee, comprising chief information security officers and other IT leaders, to offer quality governance and oversight for its CSF Assurance Program.
HITRUST has released what it calls Assurance Advisories, with an updated assessment scoring rubric and control maturity weightings. The new criteria help organizations and their assessors through improved usability, added clarity, and better harmonization with HITRUST’s Risk Analysis Guide, officials say.
Key changes include adding definitions for assessment terminology, assessment examples and guidance, and inclusion of a scoring lookup table for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
The PRISMA model has also been updated, with new weightings that better reflect the value that each maturity level brings to an organization’s risk management stance, according to HITRUST.
In addition, the group has introduced a new automated quality checking tool within HITRUST's MyCSF platform. Officials explain that dozens of automated routines will help identify potential issues prior to submission of a given assessment.
Any potential inconsistencies, compliance gaps or other issues will be brought to the attention of organizations and their assessors before assessments are submitted for review. The technology also helps HITRUST check quality assurance more quickly and efficiently, reducing the lead time between submission and report issuance.
THE LARGER TREND
HITRUST says these new capabilities offer advantages such as centralized assurance and compliance for HITRUST CSF reporting – enabling those reports to be more consistent and more reliable.
By incorporating assessment requirements and guidance, assessor training and automated quality assurance reviews, HITRUST is better able to continuously monitor adherence by assessed entities, assessor firms and its own assurance team, it says. And centralized reporting and oversight enables continuous improvement to each aspect of the HITRUST CSF Assurance Program.
To help provide governance and oversight for the program, the new quality assurance subcommittee of the HITRUST board features three longtime security leaders: Robert Booker, CISO of UnitedHealth Group; Mike Calhoun, director of benefit plan and supplier governance at AT&T; and Kevin Charest, CISO of Health Care Service Corporation.
That subcommittee will be briefed on key indicators quarterly by HITRUST’s Vice President of Assurance, Bimal Sheth, and HITRUST’s Vice President of Compliance, Jeremy Huval, according to the company.
ON THE RECORD
"I view the role of the quality subcommittee similar to that of an audit committee," said Ken Vander Wal, HITRUST’s chief compliance officer and chairman of the new QA subcommittee. "It will independently review what controls and processes HITRUST has in place to ensure quality and consistency across the entire program, review metrics used by HITRUST to measure quality at every level of the process, provide feedback where changes are required, and make recommendations for process improvements when appropriate."